The latest bug "facilitates full Java sandbox bypass on latest Java 7 Update 7," Adam Gowdiak, the CEO of Poland-based Security Explorations, wrote in an e-mail to Ars. His team developed proof-of-concept code and delivered it on Friday to Oracle engineers. The discovery of the new critical bug was reported earlier by IDG News. There are no reports that it is being exploited online.

"The total hunt took about 2-3 hours," Gowdiak wrote. "It was done yesterday in the evening. The discovery was made [as] a result of a manual analysis of Java code (its implementation)."

Gowdiak declined to discuss technical details out of concern that they may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He said the discovery came "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch."

An Oracle spokeswoman responding to a request for comment referred Ars to this advisory, which was published with Thursday's update. She and other representatives didn't respond to a follow-up e-mail informing her that the advisory was published before the most recent vulnerability was discovered.

This week's attacks, and Oracle's lack of public response to them, have renewed calls by many—this reporter included—to remove Java from computers that don't use the cross-platform framework. Many programs that claim Java is required work fine, or almost as well, without the Oracle software, as confirmed by at least two Ars readers on Thursday. Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported, users may want to remove Java plugins from their browsers if the websites they regularly visit don't require it. The removal advice has proved controversial to some, so Ars readers are encouraged to decide for themselves. (Oracle's official Twitter account for Java has also disagreed with the advice.)

Two of some 19 bugs that Gowdiak's firm reported in April were among those combined in the latest proof-of-concept attack to completely bypass the security sandbox Java relies on to ensure untrusted code can't access sensitive operating-system functions. Some of the remaining holes still haven't been plugged, and when linked to the latest discovered flaw, attackers could once again have the ability to escape the safety perimeter.

Said Gowdiak: "When combined with some of the April 2012 issues, the new issue allows [one] to achieve a complete [Java virtual machine] sandbox bypass in the environment of latest Java SE 7 Update 7 (version that was released on August 30, 2012)."

Promoted Comments

From the article: "Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported..."

Except this Mac user has no problems using Adobe Photoshop and Dreamweaver (CS6) on a Mac (10.6.8) with Java disabled via the Java Preferences.app.

Now, it may be that the installer won't install without Java being at least physically present, and it may be that certain collaborative features don't function as intended without Java enabled, but the Adobe applications I use on a regular basis don't seem to be complaining!

Certain chemistry-related web tools will require me to turn Java back on periodically, but I really don't use them often enough to worry about it; much easier to leave it off until needed.

I lost a lot of respect for many Ars readers (and Ars as a whole) here today.

I thought we were supposed to be a technical audience? If so, why is it that so many people posting in here seem to think that because at least one serious exploit exists in the Java framework that the reasonable course of action is to either uninstall it completely from all of their machines, or to disable it and cripple it so as to render it completely unusable until you need it? This is what I would expect a sales associate at Best Buy to recommend to someone because they don't have a great understanding about what Java actually is.

Those of us who know and understand a lot more than that and have some experience under our belts know that this is a commonplace problem for many other software frameworks as well, it's nothing new. Some people are treating it like it's the freaking apocalypse!

Sure, Oracle has gone full retard with this whole situation, and may arguably have even ruined how stable Java used to be, but this is FAR, FAR, FAR, FAR, FAAAAAAAR from a reasonable reason to declare a war on Java by removing it from everything you can.

This is going to blow over. It always does. Welcome to the industry.

I'm not doing anything to my Java installation (I use the SDK frequently, but that's besides the point). Nothing's going to happen, seriously. Only if you go to some shady website, and I thought most of us here were smarter than that.

So are you saying the only people who get exposed to drive-by exploits are those who visit porn or warez sites? If so, that's a breathtaking statement that was proven false years ago. Witness:

Think about your PC for a moment. Strike that, think about a generalized computer. There are only two ways in which a remote site can interact with that computer:

A) If the computer has a service listening on a port (i.e. it's acting as a server);

B) If the computer initiates contact with another computer (i.e. you're browsing the web or checking email).

Now, A pretty much goes away if you're running a firewall, doubly so if you're also running a NAT firewall/router on your home network. If you don't have any services listening on any ports, OR you've got them all firewalled off, it is simply not possible for another computer to initiate any sort of communications with your PC. That leaves B.

With respect to B, you're using your web browser, email software, or usenet client (heh heh -- right?). If you don't have a Java plugin running in your browser, email software, or usenet client, there isn't any Java in your "attack surface". Zip, nada, zilch. Without that plugin, there is absolutely no way on Earth any other computer can do anything to your PC that you could blame Java for.

Simply having Java does NOT mean it's a part of your "attack surface". You have to look at the boundaries, the ways in which your PC initiates communications with the outside world. What comes in, what goes out, and how it's processed.

If your Java isn't doing anything with the network, it's not part of your "attack surface".

NOTE: Someone said yesterday that if they could get access to your PC, they could run some kind of poison Jar file on it and that means Java's still a problem. I replied that if they're already running stuff on your PC, you're already pwned, so why bother messing with Java? They already have you at that point. They could even install Java if they wanted. As I told him, Java on the desktop doesn't have a sandbox anyway -- it runs with your user privileges like any other program. This is all about the browser, and nothing but the browser.
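The post above separates inbound exposure (a service listening on a port that a remote host can reach) from client-side exposure (a plugin in the program you use to fetch remote content). The following script, an added example that is not part of the comment thread or of any Ars or Oracle code, makes that triage concrete: it parses constructed `ss -ltn` output to find listeners bound to non-loopback addresses, and checks a constructed browser plugin inventory for an enabled Java plugin. The sample socket table and plugin list are invented for the example.

```python
"""Attack-surface triage along the lines of the comment above.

Case A: inbound exposure = services listening on a non-loopback address.
Case B: client exposure  = an enabled Java plugin in a program that
        fetches remote content (browser, mail client, ...).

All sample data below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of Linux `ss -ltn` output (header row plus listeners).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      [::1]:5432           [::]:*
LISTEN  0       128     [::]:8080            [::]:*
"""

# Constructed browser plugin inventory, as a browser's plugin page might report it.
SAMPLE_PLUGINS = [
    {"name": "Shockwave Flash", "enabled": True},
    {"name": "Java Applet Plug-in", "enabled": True},
    {"name": "QuickTime Plug-in", "enabled": False},
]

LOOPBACK = {"127.0.0.1", "::1"}

# Matches "[v6addr]:port" or "v4addr:port"; port may be "*" for unbound entries.
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:]+)):(?P<port>\d+|\*)$")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    def exposed(self) -> bool:
        """True when a remote host could initiate contact (case A)."""
        return self.addr not in LOOPBACK


def parse_listeners(ss_text: str) -> list[Listener]:
    """Parse `ss -ltn` style output into Listener records."""
    listeners: list[Listener] = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        match = _ADDR_RE.match(fields[3])  # Local Address:Port column
        if not match or match.group("port") == "*":
            continue
        addr = match.group("v6") if match.group("v6") is not None else match.group("v4")
        listeners.append(Listener(addr, int(match.group("port"))))
    return listeners


def inbound_surface(ss_text: str) -> list[Listener]:
    """Listeners another host could reach: bound to anything but loopback."""
    return [lst for lst in parse_listeners(ss_text) if lst.exposed()]


def java_in_client_surface(plugins: list[dict]) -> bool:
    """Case B: is a Java plugin enabled in a program that fetches remote content?"""
    return any(p["enabled"] and "java" in p["name"].lower() for p in plugins)


if __name__ == "__main__":
    for lst in inbound_surface(SAMPLE_SS_OUTPUT):
        print(f"inbound: {lst.addr}:{lst.port} reachable from other hosts")
    print("java plugin in client surface:", java_in_client_surface(SAMPLE_PLUGINS))
```

On the constructed sample, the CUPS listener on 127.0.0.1 and PostgreSQL on ::1 drop out, while sshd on 0.0.0.0 and the service on [::]:8080 remain as inbound surface. One caveat the comment glosses over: a NAT router hides 0.0.0.0 listeners from the Internet but not from other machines on the same LAN, so a host-level firewall or loopback binding is still worth checking.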

I'm unsure at this point, if you are just on a personal crusade to drag Java as a language through the mud, or if it's just more knee jerk reaction from someone who isn't doing anything but reporting things that have been discovered by others, and throwing a bit of sensationalism to keep Conde Nast happy.

At either rate, you aren't defining the attack vector, and you aren't making a clear definition of how modular Java is and instead are giving the kind of advice that I'd expect from an employee at Best Buy.

I completely agree that if a user isn't using an application, and if the application has become a significant risk to security, then the application should be removed.

The problem here, and why I think some of us are getting hot-under-the-collar, is that the article doesn't make clear what the exact attack-vector is, so the only thing we really know is that the attack-surface is the JVM. But the JVM is *not* an application! It is a platform that can take on a multitude of different forms (server-side, client-side, android, browser-plugin, etc). There are also two supported versions by Oracle, JVM 6 and JVM 7. This situation is similar to Microsoft Windows XP vs Vista. In fact it's worse, since the JVM really tries to act like a chameleon (unsuccessfully)...ideally you shouldn't even know if you're using it or not.

So from a developer's POV, your advice in the article is tantamount to advising users to abandon a platform because there were bugs found in it. And you're getting the same vitriol as if you were to advise people to uninstall Windows because Vista was buggy, or to switch to iOS because a particular version of Android is buggy. Some people shout hallelujah while others gnash their teeth.

Now no one can disagree with you that uninstalling the JVM completely would fix the issue, but it is the most extreme approach. I think equally valid advice would be to treat the JVM like any other platform: stay on the current version until the next one gets figured out. Or if that doesn't happen, find a better platform. Surely you've done this with OS X, Fedora, Debian, Windows, Ubuntu, KDE4, whatever...

I'd love a better/more-open VM, but right now the JVM is really the gold-standard (CLR is a non-starter for me). Folks are using it for high-performance computing (Hadoop, Lucene, etc.) and they're using a form of it on their devices (Dalvik, Android). It would just be a terrible thing to have it fail so completely on the desktop. This isn't like flash, people. Ah, c'est la vie.

By the way, would it be too much to ask to get some Editor's Picks for the pro-JVM side? Surely they weren't all bad?

Does somebody remember if Java ever had these sort of issues during the good old Sun Microsystems days? For what I remember, back in the days it used to be so that from time to time Javascript had serious issues and needed to be disabled and people were reminded that Java is a different thing. Now the roles have changed.

I mean this is getting ridiculous. First Oracle doesn't do anything for months to fix critical vulnerabilities, and once they do, there is a new critical issue that outsiders can find in hours. Is Oracle trying to kill Java on purpose or is it just that they just don't care?

Java will never be secure while its principal developer is Oracle. They've made it clear that the only thing they wanted from the Sun acquisition was a reason to sue google. They'll let all the Sun assets die by degrees in malignant neglect.

Speaking of Google, aren't you glad that the courts decided that other developers didn't have to adhere to Oracle's implementation of Java?

Haven't used Java since it was removed from the default install of Mac OS. Took some effort to switch apps in the beginning, but after this and all those Java-based malware threats during the last couple of months I would say it is definitely worth it.

Does somebody remember if Java ever had these sort of issues during the good old Sun Microsystems days?

Java has always had a bit of an ongoing security problem, but to the best of my memory (and I am a little too young to say this with much authority, but my older peers seem to agree) Sun was generally reasonably responsive and upfront.

edit, I forgot to express that I am currently throwing a hissy fit in my cube because we just can't win.

Spends months bogged down in QA hell, boooo. Got an OOB patch out in a few days after it went wild, yaaaay. Oracle totally blew off publicizing the problem, boooo. Oh, the fears that the problem is too complicated to fix in a quickie patch have proved true, double triple ARRRGH.

Java will never be secure while its principal developer is Oracle. They've made it clear that the only thing they wanted from the Sun acquisition was a reason to sue google. They'll let all the Sun assets die by degrees in malignant neglect.

Speaking of Google, aren't you glad that the courts decided that other developers didn't have to adhere to Oracle's implementation of Java?

Not sure if trolling or ...

First of all - Oracle had plenty of good reasons to buy Sun... stuff like controlling the software you depend on, owning their own hardware/software platform etc. The only thing I am sad about is that they dropped ZFS for BTRFS, because it was such a good FS (and Apple + Microsoft both might have used it - now there is only exFAT), but that's understandable. Typical case of NIH.

Now your Google Fandroid thing: anybody can implement his own version of Java. Always could. Apple did so for many years. The only thing Oracle wanted was that every implementation of Java can run all Java programs, which is pretty understandable because otherwise it could create a whole lot of fragmentation. Apps written for Apple Java/IcedTea wouldn't run on Windows and so on, which would undermine their write-once-run-everywhere principle.

It's not like I have boat loads (yacht loads?) of time to spend updating my servers. Especially my Xen servers, which have to be drained of users, rebooted, and updated.

So, if your programming team would take some more time and catch all the critical bugs *before* new releases, that would be great. That way I don't have to update your fucking software 3 times in one week.

Sigh... From what I've been reading on the Register and other sites, this new vulnerability is due to some of the OTHER things reported to Oracle back in April, which they didn't patch when they patched that other thing they patched.

Somebody asked yesterday, whether some of the 14 OTHER bugs not yet patched could be a problem. I didn't think we'd get an answer THIS quickly!

(Checking OpenJDK...)

Looks like this morning, Red Hat has put in some more fixes on OpenJDK (hardening AWT to prevent the 0Day attack):

And before we get into another huge discussion about removing Java from everyone's machine, try to remember:

1) This is STILL only a browser plugin problem, and you can get rid of the browser plugin without losing anything worthwhile;

2) For the past twenty years, Windows has given us a non-stop parade of vulnerabilities much worse than this, and fixed them a lot more slowly (if at all), and nobody batted an eyelash so let's have some perspective.

Anyone with Java still installed at this point is begging for trouble.

Useful products use Java, including CrashPlan.

For a slightly less reactionary approach, those who do use Java apps can at least disable web-start applets and plugins, both in browser settings and in the Java control panel for your particular platform.

I agree with preventing Java from starting unintentionally from an untrusted source, but there's no need to go all nuts and start tearing Java out of your system.

Sort of, but more fundamentally Adobe is making a long delayed exit from that area entirely. The parallels between Adobe/Flash and Oracle/Java are actually pretty interesting. In both cases, the technology was not developed in-house but rather came through acquisition of the original developer, driven heavily by other properties. Neither technology was a core competency or area of focus for the new parent, and both came with widely deployed ecosystems and the associated responsibilities.

For Adobe, I have long believed that Flash was pretty much an infection they inherited with Macromedia. Adobe is a tool company, and they built most of their success and reputation on making the best tools to work on content, regardless of whatever the input and output formats were. Then came the acquisition and with it Flash, which was all about the format, rather than the tool. Adobe did make some money continuing to develop/sell the major Flash development program, but they didn't need to own the format to do it, and if they hadn't then they could have been a lot faster in working to also make a premier HTML/JS development program. Having the programming language/format itself nestling at Adobe created both perverse incentives and a lot of bad PR. Security bugs in Photoshop don't tend to make front page news (and there is barely any attack surface in the first place). Adobe was not good at Flash and it caused them a ton of trouble as a result of natural economics as much as anything. Monetization was always dubious, and the doubters proved to be correct.

Now it's almost like we've taken a warp back to 2005, except with Oracle in the place of Adobe and Sun in the place of Macromedia. Oracle is also trying to hang on to all the cards, isn't that great at it, and is now also opening itself up to a brand new, and much more public/consumer facing, area of PR. It's true that Oracle is much more dependent on Java than Adobe was on Flash, but even so it's weird to see so much overlap with so few lessons apparently learned. I think Java will, in the long term, be significantly damaged if Oracle doesn't do a bit of a course change.

Pusher wrote:

The article doesn't state what permissions the attackers have once they escape the sandbox. Are they escalated privileges or are they limited to the permissions of the current user?

It almost doesn't matter. Even when the local user is running with restricted permissions, that still leaves a lot of mischief for a program to get up to. Local escalation bugs seem to pop up more often than automated remote exploits as well. They're normally very limited in scope, because if an attacker can get a user to run their program themselves why not just ask for permission (most users will just say "sure") and go the standard trojan route, but they're there waiting to be combined with something like this. Finally, speaking of social engineering, if someone can get their program to run on a system outside of the web browser, social attacks can become a lot more effective.

Certain chemistry-related web tools will require me to turn Java back on periodically, but I really don't use them often enough to worry about it; much easier to leave it off until needed.

Don't forget that you can use a VM to isolate most stuff you consider risky pretty easily. That won't be applicable to certain programs (deet mentioned the excellent CrashPlan for example) but it's convenient and a good tool to make use of. If your browser supports whitelisting plug-in usage then that's another way to more easily control usage of various plug-ins. Firefox supports multiple profiles, so you could make it a simple relaunch affair (or you could run multiple browsers for that matter).

deet wrote:

jackstrop wrote:

Anyone with Java still installed at this point is begging for trouble.

Useful products use Java, including CrashPlan.

For a slightly less reactionary approach, those who do use Java apps can at least disable web-start applets and plugins, both in browser settings and in the Java control panel for your particular platform.

I agree with preventing Java from starting unintentionally from an untrusted source, but there's no need to go all nuts and start tearing Java out of your system.

I think it's worth acknowledging both sides here. Some very useful programs do still make use of Java, and if a person simply removes it from the context of their general browsing then it fades as a threat. At the same time, it's perfectly likely in consumer areas that someone will be running no Java-using tools of any kind. It's always had more success server-side, and in business. As a general rule, "eliminate anything not required" isn't a bad conservative approach to take for security matters.

But if *I* were to build myself an entire Japanese medieval village/palace/whatever, I'd go the whole nine yards. I'd hire three groups of actors: Ninjas, Samurai, and Portuguese sailors. At random times during the day, someone would (for example) bang one of those Buddhist gongs, and the three groups would go berserk for, say, ten minutes, then disappear again. So you'd be having breakfast somewhere, you'd hear "BONG" and all of a sudden, twenty guys would be going nuts all around you. Then, for no apparent reason, they'd scatter in all directions and disappear. And I wouldn't warn any of my guests or business meetings about it beforehand. I might tip off the bodyguards to avoid unfortunate incidents, but that's about it.

But Larry Ellison, with all his money, just built the village and let it go at that. No ninjas, no samurai, no sailors. Talk about only taking things halfway! Sort of like their patch...

Hey, Larry, you know how Sun spun off NetBeans into an independent organization, and ever since then they've been kicking ass and taking names? Every single version is better than the last, and you never hear about ANYTHING going wrong with their products...

Well, why don't you spin off all Java development into an "OpenJDK Foundation" and let them produce one, single JDK/JRE that everyone can use? Not OpenJDK, Oracle JDK, IBM JDK... That's just ridiculous. Give up control to one organization whose only purpose of existence is maintaining the Java codebase.

Think about it this way: it'll let you focus on the Oracle database and your other primary software projects, from which you already make enough money to buy things like replica Japanese villages and islands and gigantic yachts the size of cruise ships and whatnot.

Serious. I will do you the courtesy of not asking, though I have equal reason to.

Quote:

First of all - Oracle had plenty of good reasons to buy Sun... stuff like controlling the software you depend on, owning their own hardware/software platform etc. The only thing I am sad about is that they dropped ZFS for BTRFS, because it was such a good FS (and Apple + Microsoft both might have used it - now there is only exFAT), but that's understandable. Typical case of NIH.

Those 'good reasons' stop holding water when they let the 'software they depend on' fall apart through creeping neglect.

Quote:

Now your Google Fandroid thing: anybody can implement his own version of Java. Always could. Apple did so for many years. The only thing Oracle wanted was that every implementation of Java can run all Java programs, which is pretty understandable because otherwise it could create a whole lot of fragmentation. Apps written for Apple Java/IcedTea wouldn't run on Windows and so on, which would undermine their write-once-run-everywhere principle.

Oracle has already demonstrated serious, steadily heightening negligence in their stewardship of Java. When-- and it's now sensible to say when, not if-- that negligence starts manifesting in poor design specs**, we'll all be happy that others can write implementations that aren't locked to Oracle's specs.

**Android has enough problems with its own poor design specs. Wakelock, for instance.

I still don't understand why people want to use Java. I've always found it to be a resource hog with poor performance. Can we just get rid of it already?

As a Java programmer who has used many other languages, I can only say that Java is the most programmer friendly of them all.

As an architect of several Java-based high traffic web sites, I can only say that poor performance is a myth, you can achieve some serious performance figures with Java.

As a Java fan, I can only say that it had a good run. Or not really in browsers... ever... but otherwise... Then Oracle came, destroyed its reputation, and you know how hard that sort of problem is to fix. I, like many others, had a bad feeling when that Sun acquisition was announced. Now I feel even worse.

Anyone with Java still installed at this point is begging for trouble.

Seems somewhat overreactionary, but OK.

I still have Java on my machines but disabled all the applet capabilities and the Java webstart stuff. Java still has many uses and not everyone can just get rid of it entirely and wash their hands of the issue.

Notch doesn't have the skill to do that, otherwise he would have from the start tbh.

MarkIt wrote:

Does somebody remember if Java ever had these sort of issues during the good old Sun Microsystems days? For what I remember, back in the days it used to be so that from time to time Javascript had serious issues and needed to be disabled and people were reminded that Java is a different thing. Now the roles have changed.

Correction: the ECMAScript specification wasn't what had the "serious issues" that you describe; that would be the browser implementations that improperly handled it.

If there was any decent alternative to jDownloader I would have uninstalled Java by now. I've already got it disabled in the browser but sadly, after trying about 3-4 alternatives, none of them match the ease of use or functionality of jDownloader.

@MarkIt: What alternatives do we have? I mean, in terms of enterprise development? Not too many, right?

* C# is probably the main alternative. Mono, under Linux. I don't think MonoDevelop is anywhere near as good as NetBeans, and Visual Studio requires Windows and costs a pile of money. Although Mono for Android looks pretty impressive...

* C and the Qt libraries, or maybe OpenGL, with Objective-C for OOP? Maybe, but then you've got to recompile for every platform you want to serve. Still, C's pretty good. At least it's not C++...

* Perl and the Perl GUI libraries? I've developed that way, it wasn't terrible, but it wasn't as good as Java. I think Perl is better for O/S level scripting, like file processing.

* Any of a number of other scripting languages? Don't get me started. Awful across the board. None of them are a proper software engineering tool. Kids like them because they have short learning curves, but that'll only get you so far. What happens when you or your project outgrow the tool?

Sigh... At least I can stay in the C family of languages. C's pretty rocking. And I like where Mono's going, particularly when it comes to cross-platform mobile development (you can get Mono for both Android and iPhone now, develop on Linux and roll out to both platforms, very nice).